CVE-2023-1594
published 2023-03-23CVE-2023-1594: A vulnerability, which was classified as critical, was found in novel-plus 3.6.2. Affected is the function MenuService of the file sys/menu/list. The…
PriorityP352critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.05%
59.9th percentile
A vulnerability, which was classified as critical, was found in novel-plus 3.6.2. Affected is the function MenuService of the file sys/menu/list. The manipulation of the argument sort leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-223662 is the identifier assigned to this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | 0 – 2.9.2 | — |
| xxyopen | novel-plus | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
mlflow vulnerable to Path Traversal
ghsa·2024-04-16·CVSS 7.5
CVE-2024-1594 [HIGH] CWE-22 mlflow vulnerable to Path Traversal
mlflow vulnerable to Path Traversal
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files on the server in the context of the server's process. This issue is similar to CVE-2023-6909 but utilizes a different component of the URI to achieve the same effect.
GHSA
GHSA-3p66-j558-35f9: A vulnerability, which was classified as critical, was found in novel-plus 3
ghsa_unreviewed·2023-03-23
CVE-2023-1594 [CRITICAL] CWE-89 GHSA-3p66-j558-35f9: A vulnerability, which was classified as critical, was found in novel-plus 3
A vulnerability, which was classified as critical, was found in novel-plus 3.6.2. Affected is the function MenuService of the file sys/menu/list. The manipulation of the argument sort leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-223662 is the identifier assigned to this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-03-23
Published